#52 ipa-getcert does not reach IPA server if cert issued by other CA
Opened 2 years ago by admiyo. Modified 2 years ago

Fedora 24:

mod_ssl generates a self-signed certificate. If you attempt to reuse this cert file and have certmonger manage it:

sudo ipa-getcert request -w \
-f /etc/pki/tls/certs/localhost.crt \
-k /etc/pki/tls/private/localhost.key \
-N overcloud-controller-0.ayoung-dell-t1700.test,O=ayoung-dell-t1700.test \
-K HTTP/overcloud-controller-0.ayoung-dell-t1700.test

The resulting cert is still the self-signed one, but listed as managed by the IPA CA.

When certmonger starts tracking a cert for the first time, it should probably do a sanity check of the issuer. With a CA like IPA, it should treat it as a resubmit with a new CSR and the existing key.


To me, the big issue here is that apparently if a certificate is present in the -f file, 'getcert request' will just adopt it rather than requesting a new one. In the help message for getcert it says:

request         request a new certificate from a CA
start-tracking  begin monitoring an already-issued certificate
...

Based on this, I would expect 'request' to always submit a request to the CA even if a certificate (self-signed or otherwise) is present locally. If you want to track but not resubmit an existing cert, the correct command is 'start-tracking'. However, this is not what happens:

[root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
c22ded4b3ad0561637b9a04de6503f9b  /etc/pki/tls/certs/localhost.crt
[root@vm ~]# ipa-getcert request -w -f /etc/pki/tls/certs/localhost.crt -k /etc/pki/tls/private/localhost.key
New signing request "20160630181846" added.
[root@vm ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160630181846':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/localhost.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/localhost.crt'
        CA: IPA
        issuer: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
        subject: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
        expires: 2017-06-30 18:15:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
[root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
c22ded4b3ad0561637b9a04de6503f9b  /etc/pki/tls/certs/localhost.crt
[root@vm ~]# ipa-getcert resubmit -i 20160630181846
Resubmitting "20160630181846" to "IPA".
[root@vm ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160630181846':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/localhost.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/localhost.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.EXAMPLE.COM
        subject: CN=vm.example.com,O=DOMAIN.EXAMPLE.COM
        expires: 2018-07-01 18:19:41 UTC
        dns: vm.example.com
        principal name: host/vm.example.com@DOMAIN.EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
[root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
e637e23503ccb2e11f0dee714ab7e32f  /etc/pki/tls/certs/localhost.crt
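
The mismatch shown in the session above (a request listed as "CA: IPA" whose certificate is still the self-signed one) can be caught by comparing each tracked request's issuer against the DN its CA actually issues. The following is an added example, not certmonger's own code or anything from this ticket; it parses `getcert list` output offline from a constructed sample built from the two states shown above, and the second request ID in that sample is made up.

```python
import re

# Constructed sample: the two `ipa-getcert list` states shown in the comment,
# trimmed to the fields this check needs. The second request ID is invented.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160630181846':
        status: MONITORING
        CA: IPA
        issuer: E=root@vm.example.com,CN=vm.example.com,O=SomeOrganization
        subject: E=root@vm.example.com,CN=vm.example.com,O=SomeOrganization
Request ID '20160630181900':
        status: MONITORING
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.EXAMPLE.COM
        subject: CN=vm.example.com,O=DOMAIN.EXAMPLE.COM
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            # Split on the first colon only; DN values contain '=' and ','.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_mismatched(requests, expected_issuers):
    """Request IDs whose 'CA' is a known CA but whose certificate is either
    self-signed (issuer == subject) or issued by a different DN than that
    CA is expected to use: the adopted-cert situation described above."""
    bad = []
    for rid, fields in requests.items():
        ca = fields.get("CA")
        if ca not in expected_issuers:
            continue
        issuer = fields.get("issuer", "")
        self_signed = issuer == fields.get("subject")
        if self_signed or issuer != expected_issuers[ca]:
            bad.append(rid)
    return sorted(bad)

if __name__ == "__main__":
    expected = {"IPA": "CN=Certificate Authority,O=DOMAIN.EXAMPLE.COM"}
    print(find_mismatched(parse_getcert_list(SAMPLE_LIST), expected))
```

On a live host, feed the output of `getcert list` to `parse_getcert_list` and set the expected issuer DN to the one your IPA CA actually signs with.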

Metadata Update from @benlipton:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago
